Explained: What we know of hacking group ModifiedElephant

ModifiedElephant typically weaponises malicious Microsoft Office files to deliver malware to their targets. According to SentinelOne, the specific method and payload included in the malicious files have changed over the years.

Photo caption: According to the report, ModifiedElephant maliciously targeted specific groups and individuals, including the activists arrested in the Bhima Koregaon case of 2018. (Express photo)

American cybersecurity firm SentinelOne has released a report on ModifiedElephant—a hacking group that allegedly planted incriminating evidence on the personal devices of Indian journalists, human rights activists, human rights defenders, academics and lawyers.

According to the report, ModifiedElephant maliciously targeted specific groups and individuals, including the activists arrested in the Bhima Koregaon case of 2018. It called the incident ‘one of the most serious cases of evidence tampering’ that the firm had ever encountered.

Building on the digital forensic investigation results publicly released by Arsenal Consulting, SentinelOne was able to uncover ‘a decade of persistent malicious activity’ that it attributes to a previously unidentified threat actor it has named ModifiedElephant.

How does ModifiedElephant deploy malware to its targets?

According to the report, ModifiedElephant operators have been infecting their targets over the last decade using spearphishing emails with malicious file attachments, with their techniques becoming more sophisticated over time.

Spearphishing refers to the practice of sending targets emails that appear to come from a trusted source, in order to trick them into revealing important information or into installing malware on their computer systems.

ModifiedElephant typically weaponises malicious Microsoft Office files to deliver malware to their targets. According to SentinelOne, the specific method and payload included in the malicious files have changed over the years:

According to SentinelOne, lure documents often used the CVE-2012-0158, CVE-2014-1761, CVE-2013-3906 and CVE-2015-1641 exploits, which affected Microsoft Office programmes, including multiple versions of Microsoft Word and Office Web Apps.
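One routine check a defender can run on incoming mail is to compare the file extension an attachment advertises with the container format its first bytes actually reveal, since lure documents of the kind described above are often one format (such as RTF) carrying a different extension (such as .doc). The following script is an added illustration and is not part of the SentinelOne report or the article; the sample message, its addresses and its three attachments are constructed, and the magic numbers are the standard ones for the OLE2, ZIP/OOXML and RTF containers.

```python
"""Triage e-mail attachments by comparing the extension of a file with the
container format implied by its leading bytes. Added example; the message
built below is constructed and is not a real ModifiedElephant lure."""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Magic numbers of the containers used by Office documents (and Android APKs).
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt (Compound File Binary)
    b"PK\x03\x04": "zip",                          # OOXML (.docx/.xlsx/.pptx) and .apk
    b"{\\rtf": "rtf",                               # Rich Text Format
}

# Container a well-formed file with this extension is expected to have.
EXPECTED_CONTAINER = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".rtf": "rtf",
    ".apk": "zip",
}


def detect_container(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment: ok, mismatch, mobile-package or untracked-type."""
    ext = PurePosixPath(filename).suffix.lower()
    container = detect_container(data)
    expected = EXPECTED_CONTAINER.get(ext)
    if ext == ".apk":
        verdict = "mobile-package"   # an APK arriving by e-mail deserves review on its own
    elif expected is None:
        verdict = "untracked-type"   # extension not covered by this table
    elif container != expected:
        verdict = "mismatch"         # e.g. an RTF file renamed to .doc
    else:
        verdict = "ok"
    return {"filename": filename, "ext": ext, "container": container, "verdict": verdict}


def triage_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and triage every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        if isinstance(payload, str):             # text/* parts come back as str
            payload = payload.encode("utf-8", "replace")
        results.append(triage_attachment(name, payload))
    return results


def build_sample_email() -> bytes:
    """Constructed message with a genuine OOXML file, an RTF renamed to .doc
    (the mismatch case) and an APK. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Documents for review"
    msg.set_content("Please find the attached files.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(b"{\\rtf1\\ansi hello}", maintype="application",
                       subtype="msword", filename="Minutes.doc")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="vnd.android.package-archive", filename="update.apk")
    return msg.as_bytes()


SAMPLE_EMAIL = build_sample_email()

if __name__ == "__main__":
    for r in triage_message(SAMPLE_EMAIL):
        print(f"{r['filename']:<14} {r['ext']:<6} {r['container']:<8} {r['verdict']}")
```

The mismatch verdict is only a signal for closer inspection, not proof of malice: Word will happily open an RTF file carrying a .doc extension, which is precisely why the check is worth running at the mail gateway rather than trusting the extension.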


What does ModifiedElephant do to its victims’ devices?

The report terms the malware typically deployed by ModifiedElephant as both mundane and effective for its purpose: to obtain remote access to and unrestricted control of victims’ devices. 

NetWire and DarkComet, two publicly-available remote access trojans (RATs), were the primary malware families deployed by ModifiedElephant, according to SentinelOne. 

NetWire is a RAT focused on password stealing, keylogging and remote control capabilities. It has been in use since 2012 and was typically distributed through social engineering campaigns. Its distribution as a second payload using Microsoft Word documents is a fairly recent phenomenon.

DarkComet is another RAT that can take control of a user’s system using a convenient graphical user interface. It was initially developed in 2008 by French infosec programmer Jean-Pierre Lesueur and can be used to spy on victims using screen captures, key-logging, or password stealing.


ModifiedElephant also sent Android malware to its victims alongside NetWire and DarkComet. This malware is an unidentified commodity trojan delivered as an APK file. Its use indicates that ModifiedElephant was attempting to get full coverage of a target across all of their devices.

Who or what is ModifiedElephant? 

Although SentinelOne’s analysis allowed it to attribute a decade’s worth of malicious attacks to a single bad actor, it could not identify who that bad actor is. Possibilities range from a rogue hacker group to a state-sponsored actor.

The analysis revealed that the group operates in an overcrowded target space where multiple actors are targeting the same victims and that it may have relations with other regional threat actors. The report mentions some interesting overlaps with other such hacking efforts:

How do you protect yourself and your devices from ModifiedElephant?

While it is difficult to truly build a bulletproof defence against attacks employed by the likes of ModifiedElephant at an individual level, there are many precautions that can help reduce susceptibility to such attacks.


The first step is to enable multi-factor authentication (MFA) so that your and your associates’ email IDs and other accounts aren’t compromised in the first place. With MFA, you need two pieces of information, such as a password and a randomly generated token, in order to log in to a system or account.

It only takes one weak link in a chain for an attacker to gain access to multiple accounts and devices. If you or your devices are compromised, attackers can leverage your devices and accounts to compromise those of your friends, family and coworkers. MFA can help protect that first weak link and so ensure that the rest are not compromised.

In the same vein, it is important to educate those around you about the dangers of cyberattacks such as spearphishing, and to ensure that they remain suspicious of emails from both unknown and known sources.

Another important security measure is to encrypt any sort of file that you send over the internet. Attackers often use legitimate documents to trick their targets into downloading files that contain a malware payload. If they can’t access these documents in the first place, they won’t be able to package malware along with them.


Last but not least, be alert to and aware of your digital behaviour. If you believe that you or someone you know is at risk of being targeted by these kinds of cyber attacks, remain vigilant with every digital action you take.

You never know which email, message, file or link contains malware that could be used to compromise your device or your information. If you see something suspicious, even if it comes from a trusted source, confirm with them to ensure that it was indeed sent by the trusted source.
